just another infosec blog

NoSQL prevalence

A database is an organized collection of data: the collection of schemas, tables, queries, reports, views and other objects. It is also a framework for frustration. You try to get a grip on data organized into a model that supports the processes needing the information, such as modelling the availability of rooms in motels in a way that lets you find a motel with vacancies. It is frustrating because even a minor change takes great effort to implement, since the data structure must be known in advance. You cannot just add data as you go. For example, if you want to store data about your customers such as phone numbers, first and last name, address, city and state, a SQL database needs to know what you are storing in advance.

NoSQL is quite different. As long as you are in control of CRUD (create, read, update, delete) it does not care much about the structure. You can simply create, read, update and delete whenever and wherever you need to, as long as you have an interface that supports your own structure. This makes NoSQL very agile, and many success stories have brought it to our attention.

Thanks to its ease of use it is becoming more and more popular. But how popular, exactly? Today I will shed some light on this.

Prevalence

There has been an increase in media coverage of NoSQL. Success stories about developers doing NoSQL seem to be all the rage, at least in Norway. This prompted me to look more closely at the prevalence of NoSQL. Luckily, it is easy to look up how popular NoSQL is thanks to the DB-Engines Ranking, which ranks database management systems by popularity every month.

I have taken the liberty of snagging some screenshots showing the top ten ranking for databases in general, key-value stores, document stores and search engines.

Databases in general

To get a clear overview we start with a top ten list of all database systems. From the screenshot below we see that traditional relational DBMSs are still the most preferred way to store data. We also see that a few NoSQL systems feature in the top ten, which means they are gaining momentum.

Key-value stores

Key-value stores are useful, and this list shows which ones are the most popular. To no one's surprise, Redis is at the top.

Document Stores

Document stores may be the most interesting NoSQL category, in my opinion. There has been a lot of fuss about MongoDB lately and it comes as no surprise that MongoDB is really popular. One odd thing is that Couchbase ranks higher than CouchDB. For whatever reason I thought it would be the other way round!

Search Engines

I have included search engines as a category of their own, because search engines typically store data in a NoSQL way. Finding Elasticsearch in first position came as no surprise. It is a great tool that also acts as a document store. If you are a frequent reader you might remember the piece I wrote on it some years ago.

A look at the first positions

The screenshots above show that MongoDB, Elasticsearch and Redis are quite popular and worth looking into. Given how widespread they are, I bet there are many instances of these products openly accessible on the Net. Let's see how many we can find using Shodan.io.

I based my research on a simple product search paired with each product's default listening port(s): 27017 for MongoDB, 9200 for Elasticsearch and 6379 for Redis. The search was run in two periods, the first week of July and again two weeks later. This approach yielded some interesting results, as the following table shows.

Product         Shodan.io findings #1 (first week of July)   Shodan.io findings #2 (two weeks later)
MongoDB         32131 entries                                42260 entries
Elasticsearch   6874 entries                                 7463 entries
Redis           26920 entries                                27466 entries

From the initial search we see that there are quite a few systems exposed. The second search, two weeks later, found more in every category. That is consistent with NoSQL gaining speed, although part of the difference may simply be Shodan having indexed more hosts between the two runs, so the trend should be read with some caution.

These numbers also suggest that there may be a chance of finding sensitive data. I stress "may" since I haven't looked into what these databases contain. From past experience I know that there are databases out there where someone crammed everything and the kitchen sink into them, usernames and passwords included. And that's bad. Very bad.
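A raw Shodan count only tells you that something answered on the default port. Whether an instance actually hands out data without credentials is a separate check, and it is the check I would want before reading anything into the numbers above. The script below is an added example written for this page, not code from the original post or from the Redis project. It speaks the Redis wire protocol (RESP) directly, sends INFO server with no credentials and classifies the reply: an open instance answers with a bulk string, an instance with requirepass set answers -NOAUTH (older releases answer -ERR operation not permitted), and Redis 3.2 or later running in protected mode answers -DENIED. The sample reply embedded in the file is constructed for the example, the host name in the comment is a placeholder, and the probe should only be pointed at hosts you are authorised to test.

```python
import socket
import sys

# Redis default port (assumed; the standard default for a Redis server).
REDIS_PORT = 6379


def encode_command(*args):
    """Encode a command as a RESP array of bulk strings, e.g. INFO server."""
    out = b"*%d\r\n" % len(args)
    for arg in args:
        arg = arg.encode() if isinstance(arg, str) else arg
        out += b"$%d\r\n%s\r\n" % (len(arg), arg)
    return out


def bulk_reply(payload):
    """Build a RESP bulk-string reply. Used here only to construct sample
    replies for offline testing; a real server produces these itself."""
    return b"$%d\r\n%s\r\n" % (len(payload), payload)


def parse_info(body):
    """Turn the key:value lines of an INFO reply into a dict, skipping the
    '# Section' headers and blank lines."""
    info = {}
    for line in body.decode(errors="replace").splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        info[key] = value
    return info


def classify_reply(raw):
    """Classify what an unauthenticated INFO command got back.

    Returns {'status': ..., 'info': {...}} where status is one of
    open, auth_required, protected_mode or unknown."""
    if raw.startswith(b"-NOAUTH") or raw.startswith(b"-ERR operation not permitted"):
        # requirepass is set: every command is refused until AUTH succeeds
        return {"status": "auth_required", "info": {}}
    if raw.startswith(b"-DENIED"):
        # Redis >= 3.2 protected mode: no password configured, so the server
        # refuses clients that do not come from the loopback interface
        return {"status": "protected_mode", "info": {}}
    if raw.startswith(b"$"):
        header, _, rest = raw.partition(b"\r\n")
        length = int(header[1:])
        if length < 0:  # $-1 is a null reply, nothing to parse
            return {"status": "unknown", "info": {}}
        return {"status": "open", "info": parse_info(rest[:length])}
    return {"status": "unknown", "info": {}}


def read_reply(sock):
    """Read one RESP reply: a single error line, or a bulk string whose
    length is declared in its header."""
    buf = b""
    while b"\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return buf
        buf += chunk
    header, _, rest = buf.partition(b"\r\n")
    if not header.startswith(b"$") or int(header[1:]) < 0:
        return header + b"\r\n"
    want = int(header[1:]) + 2  # payload plus its trailing CRLF
    while len(rest) < want:
        chunk = sock.recv(4096)
        if not chunk:
            break
        rest += chunk
    return header + b"\r\n" + rest[:want]


def probe_redis(host, port=REDIS_PORT, timeout=3.0):
    """Connect without credentials, send INFO server, classify the answer.
    Only point this at hosts you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(encode_command("INFO", "server"))
        return classify_reply(read_reply(sock))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # live probe, e.g. python redis_probe.py redis.example.internal (placeholder host)
        print(probe_redis(sys.argv[1]))
    else:
        # constructed sample reply standing in for an open instance
        sample = bulk_reply(b"# Server\r\nredis_version:3.2.10\r\nos:Linux 4.4.0 x86_64\r\n")
        print(classify_reply(sample))
```

Run it with a host name to probe a live instance, or with no arguments to classify the constructed sample. An "open" result with a populated info dict is the case the post worries about: anyone on the Net can read, and in Redis also write, whatever is in that instance. The same idea carries over to MongoDB (an unauthenticated listDatabases on 27017) and Elasticsearch (GET / on 9200), but those speak different protocols and are not covered by this script.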

Conclusion

From the numbers found I conclude that I need to look further into NoSQL, namely MongoDB. I have used it many times as a developer, but now is the time to look at it with a security mindset.